From: Joey Hess Date: Sat, 18 Apr 2015 16:35:36 +0000 (-0400) Subject: Merge branch 'master' of ssh://git.ikiwiki.info X-Git-Tag: 3.20150610~103 X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/2906a3f0f7b6e70197a46104fbad23d70c116c56?hp=3fe1f39f88b68e6ca4301fec50c5003250e82ee6 Merge branch 'master' of ssh://git.ikiwiki.info --- diff --git a/doc/bugs/XSS_Alert...__33____33____33__.mdwn b/doc/bugs/XSS_Alert...__33____33____33__.mdwn index d10361075..cb9618777 100644 --- a/doc/bugs/XSS_Alert...__33____33____33__.mdwn +++ b/doc/bugs/XSS_Alert...__33____33____33__.mdwn @@ -38,3 +38,16 @@ raghav007bisht@gmail.com >> until the maintainer can respond ("[[!wikipedia responsible disclosure]]"). >> In this particular case, I was away from my computer for a few days >> and was unable to make a release until I got back. --[[smcv]] + +> Are versions `3.20120629` or `3.20130904.1~bpo70+1` vulnerable? (`wheezy` and +> `wheezy-backports`, respectively) — [[Jon]] + +>> 3.20120629 is vulnerable; fixed in 3.20120629.2, which is in the proposed-updates +>> queue (the security team declined to issue a DSA). The blogspam plugin doesn't +>> work in wheezy either; again, a fix is in the proposed-updates queue. +>> +>> 3.20130904.1~bpo70+1 is almost certainly vulnerable, it looks as though someone +>> has done a drive-by backport but not kept it updated. None of ikiwiki's Debian +>> maintainers are involved in that backport; the .deb from jessie (or even from +>> experimental) works fine on wheezy without recompilation. I use the latest +>> upstream release from experimental on my otherwise-Debian-7 server. --[[smcv]] diff --git a/doc/security.mdwn b/doc/security.mdwn index 6488d7f9e..d5a0266cd 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -500,9 +500,9 @@ as version 3.20100815.9. An upgrade is recommended for all sites. ## XSS via openid selector -Raghav Bisht discovered this XSS in the openid selector. +Raghav Bisht discovered this XSS in the openid selector. ([[!cve CVE-2015-2793]]) The hole was reported on March 24th, a fix was developed on March 27th, -and the fixed version was released on the 29th. A fix was backported -to Debian wheezy as version 3.20141016.2. An upgrade is recommended for -sites using CGI and openid. +and the fixed version 3.20150329 was released on the 29th. A fix was backported +to Debian jessie as version 3.20141016.2 and to Debian wheezy as version +3.20120629.2. An upgrade is recommended for sites using CGI and openid.